The clandestine arrangement worked smoothly for years. The Israeli
company shipped its Internet-monitoring equipment to a distributor in
Denmark. Once there, workers stripped away the packaging and removed the
Then they sent it to a man named “Hossein” in Iran, an
amiable technology distributor known to them only by his first name and
impeccable English, say his partners in Israel and Denmark.RELATED:'Probe Israeli companies doing business with Iran' US lifts sanctions on Ofer group for Iran trade
trade, customs and defense officials say their departments didn’t know
that the systems for peering into Internet traffic, sold under the brand
name NetEnforcer, had gone to a country whose leaders have called for
the destruction of the Jewish state. Israel’s ban on trade with its
enemy failed, even though a paper trail on the deals was available in
The transactions illustrate how ineffective governments
have been in blocking a global trade in new, intrusive surveillance
technologies that authoritarian regimes can use as weapons for
repression. Such gear from Western companies -- including tools that
intercept e-mails and text messages, record Internet activity and map
cell phone locations -- has been used to track and torture dissidents in
countries including Iran, Bahrain, Syria and Tunisia, a Bloomberg News
investigation this year showed. It’s unclear who Hossein’s customers
were, or how the technology may have been used in Iran.‘A dirty trade’
fact that the most murderous regimes are using Western technologies for
surveillance highlights the fact that the current framework for
controlling this dirty trade is not working,” says Brett Solomon,
executive director of Access, a New York-based nonprofit that promotes
online freedom. “How long are the innocent people of Syria and Iran to
wait before Congress and the EU turn words into law?”
are ways to stem the flow of such technology, which can be used as a
weapon but isn’t regulated like one. Many companies selling surveillance
equipment that connects to the Internet have the ability to monitor
their own customers, and governments could require them to do so while
tightening export laws.
Anything connected to the Internet “can
phone home and provide some sort of location data,” says Jon Oltsik,
senior principal analyst at Milford, Massachusetts-based Enterprise
Strategy Group, a technology consulting firm. Companies often stay in
touch with their products to send software updates, and can also examine
customers’ Internet addresses to determine where the equipment is, he
The method has already proved effective, stymieing Syrian
efforts to circumvent the US embargo during a crackdown that has killed
more than 5,000 people.‘Is Ignorance Bliss?’
San Diego-based Websense, Inc., a maker of Internet- filtering software,
routinely scans the Internet addresses of prospective buyers, as well
as its 40,000 existing customers, in order to prevent its products from
going to embargoed countries or falling into the wrong hands, says
Michael Newman, the company’s general counsel and interim chief
In October, Websense blocked sales to two potential buyers, who listed
their physical addresses in Switzerland and the United Arab Emirates,
but who asked for the product to be downloaded to Internet addresses
that the company traced to Syria.
“Companies should be taking these steps,” Newman says. “The question is,
how much are you trying to know? Or is ignorance bliss?”
Spotting end-user locations
Such steps could have helped Blue Coat Systems Inc., a Sunnyvale,
California-based maker of Web security and filtering products.
Telecomix, a group that promotes online freedom, earlier this year
uncovered computer logs that showed the company’s machines being used in
Syria to filter Internet sites.
Blue Coat says its products were illegally shipped to Syria by a
distributor and it had been unaware they were there. Spokesman Steve
Schick declined further comment on the Syria sales, citing an ongoing
investigation by the US Department of Commerce.
Had Blue Coat been paying attention to the Internet addresses when
connecting with its deployed machines, it would have spotted the suspect
locations, says Peter Fein, a Chicago-based member of Telecomix.
“Claiming a lack of knowledge is no excuse anymore,” says Solomon, of
Access. “Technology can be used as a weapon and should be treated with
the same care and sold with the same due diligence.”
In this growing industry, with sales estimated at $3 billion to $5
billion, the potential for human rights abuse is profound. The 10-month
investigation by Bloomberg News documented use of Western surveillance
technology in political crackdowns and violent repression by governments
across the Middle East and North Africa.
In Bahrain, authorities used European equipment to intercept phone calls
and text messages of activists, who were confronted with details of
their communications while being arrested and tortured. Amid Syria’s
uprising, construction moved forward on a $17 million Internet
surveillance system built with US, French, German and Italian
“Stopping this trade is a shared responsibility across government and
business,” says Meg Roggensack, an adjunct professor at the Georgetown
University Law Center in Washington, DC, and a senior advisor to Human
Rights First, a non-profit organization based in New York and
Washington. “It is extremely urgent. This is playing out in real time
with real consequences for real people.”
Restricting, regulating trade
Western governments are now trying to better regulate the trade. The
European Union restricted sales of the technology to Syria after
Bloomberg News exposed the project in that country. A bill introduced in
the US House of Representatives on Dec. 8 would bar sales of
surveillance technologies by American companies to repressive regimes.
The UK’s Business Minister, Judith Wilcox, said the government was
examining a block on the sale of mobile-phone surveillance software to
Iran and Syria after Bloomberg News reported a British company sold
location-tracking technology to Iran this year for use by the regime’s
Yet efforts to date have stumbled. After the US Congress in 2010
prohibited government business with any company selling equipment to
Iran that would restrict the flow of information or speech of its
citizens, no companies were identified. Under current EU rules, each
member state makes its own export decisions, which allows regulatory
“Right now, we’re not even trying,” says Marietje Schaake, a Dutch
member of the European Parliament who is pushing for EU-wide standards.
“The digital arms trade needs more scrutiny and regulations.”
Even when they impose bans, governments struggle to track surveillance
sales. Often, technology vendors rely on distributors to sell their
products, and simply trust that it isn’t falling into hands that will
The shipments of Internet-inspection equipment from Israel to Iran illustrate the enforcement loopholes.
Allot Communications Ltd., a Hod Hasharon, Israel-based firm whose stock
trades on Nasdaq and the Tel Aviv Stock Exchange and which reported $57
million in sales last year, sold its systems to a Randers,
Denmark-based technology distributor.
Workers at that company, RanTek A/S, repackaged the gear and shipped it
to Iran, according to four former employees of Allot and RanTek. The
shipments were legal under Danish law.
Skirting a Ban
A sale as early as 2006 is corroborated by an export license application
filed by RanTek, though the name of the customer in Iran was redacted
by Danish authorities who provided the document to Bloomberg News.
The former employees identified the buyer as the technology distributor, Hossein.
The sales skirted a strict Israeli ban that prohibits “trading with the
enemy,” including any shipments that reach Iran, Syria and Lebanon.
“This covers everything,” says Gavriel Bar, manager of the Middle East
department at Israel’s Ministry of Industry, Trade and Labor. “Imports,
exports, direct, indirect. An Israeli company is not allowed to trade
with Iran in any way.”
Three former sales employees for Allot say it was well known inside the
company that the equipment was headed for Iran. Allot officials say they
have no knowledge of their equipment going there and are looking into
“We do not authorize any sales to Iran,” says Jay Kalish, executive
director of investor relations at Allot. If its products were shipped
there by RanTek, it would be a “breach of contract,” he says.
Kalish says it’s challenging to track where its products go after
they’ve been sold. Customers often don’t connect digitally to Allot,
making electronic tracking difficult. The company has hundreds of
distributors and their products have even appeared for sale on eBay, he
The product sold by Allot, NetEnforcer, conducts “deep-packet
inspection” of networks. The technology has commercial uses, such as
helping a mobile network operator prioritize certain types of traffic or
But deep-packet inspection has also been used to snoop into e-mails in
countries including Tunisia, even allowing officials to change the
contents, Bloomberg News found. It can also prevent activists from using
the Web anonymously, leading to arrest and torture in countries such as
Iran, says Ben Wagner, of the European University Institute near
Florence, Italy, who has studied the technology.
“I cannot conceive a way that DPI could be exported to Iran without a concern,” he says.
Allot’s Kalish says the equipment sold through RanTek was best suited
for managing a company’s Internet traffic and lacked the capacity for
wide-scale Internet surveillance.
RanTek officials didn’t respond to e-mails and phone calls seeking comment.
The lax controls on the Israeli technology shipments, which didn’t
require export licenses, contrast with tighter restrictions on weapons
sales, which do need licenses.
Companies such as Allot are almost on an honor system to comply with the
rules, says Rifat Azam, a professor of international business law at
the Interdisciplinary Center, in Herzliya.
In the absence of strong laws and policing, bad press and the threat of
reputational damage has spurred companies to curb dealings with
A reputational risk
Area SpA called off construction of the Internet surveillance system in
Syria only after Bloomberg’s story was picked up by Italy’s major
newspapers and sparked a protest by Syrian and Internet-freedom
activists outside the company’s headquarters near Milan. The coverage
also spurred an online petition by Access that gathered more than 10,000
signatures calling for a stop to the Syria project.
Paris-based Qosmos SA, which had supplied deep-packet inspection probes
for Area’s Syria system, said when contacted for the story that it had
already decided to pull out. Qosmos’s head of marketing, Erik Larsson,
later added that the company would exit all work in interception and
focus on other uses of the technology, such as market research and
“We don’t want to be in that business because we don’t have the control
and there’s not enough regulation,” he said. “If you’re using it to
track down opponents and torturing them and killing them, then the
technology is in the wrong hands.”
In the case of Iran, Dublin-based AdaptiveMobile Security Ltd. had sold
and proposed systems for blocking and filtering text messages. When
asked about the Iran business for a Bloomberg News story, the company
said it plans to cease doing business in Iran when its contract is up in
2012, because continuing in the country’s current political climate
could damage its reputation.
Measures that governments could take include examining the trade records
of foreign customers. Such checks of public records in Denmark would
have exposed the shipments of Israeli goods to Iran.
For now, self-regulation by companies may be critical to any recipe for change.
In a Dec. 8 speech, US Secretary of State Hillary Clinton said
lawmakers’ efforts to employ sanctions and control surveillance exports
will only go part of the way.
“In the 21st century, smart companies have to act before they find themselves in the crosshairs of controversy,” she said.
Websense says self-policing kept it from falling afoul of Syria
sanctions in October. The company also can refuse to provide updates,
shutting down a product within weeks if it moves to a location where
Websense doesn’t want it or if the company finds it’s being used for
repression, Newman says.
It took such steps in 2009, for example, when it learned that two of its
customers in Yemen were using its products to carry out government
censorship of the Internet, says Newman.
In a digital arms race that pits repressive regimes against their
citizens, says Access executive director Solomon, anything that loosens
the tyrants’ grip on electronic communications might just save lives.